
Commit 8f40818

John ZakrzewskiJohn Zakrzewski
authored andcommitted
configure tls for REST
Signed-off-by: John Zakrzewski <[email protected]>
1 parent 3ffa6a9 commit 8f40818


6 files changed

+195
-84
lines changed


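--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -48,8 +48,8 @@ dependencies:
 version: 4.1.2
 repository: https://openebs.github.io/dynamic-localpv-provisioner
 condition: localpv-provisioner.enabled
-- name: cert-manager
-version: v1.12.10
-repository: https://charts.jetstack.io
-alias: cert-manager
-condition: cert-manager.enabled
+# - name: cert-manager
+# version: v1.12.10
+# repository: https://charts.jetstack.io
+# alias: cert-manager
+# condition: cert-manager.enabled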
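Review bot: The cert-manager dependency is commented out rather than removed, which leaves dead configuration in Chart.yaml (and a matching commented block at the end of values.yaml) that git history already preserves. The dependency already carried `condition: cert-manager.enabled`, so if the intent is to keep it available, leaving the entry in place with `cert-manager.enabled: false` as the values default is the cleaner switch; if it is gone for good, delete the lines. Either way a one-line comment explaining why certificates are no longer issued by cert-manager, e.g. `# cert-manager removed: the api-rest TLS secret is now created out of band by scripts/certs.sh`, would help the next reader.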

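--- a/chart/templates/mayastor/apis/api-rest-deployment.yaml
+++ b/chart/templates/mayastor/apis/api-rest-deployment.yaml
@@ -45,7 +45,6 @@ spec:
 image: "{{ .Values.image.registry }}/{{ .Values.image.repo }}/{{ include "image_prefix" . }}-api-rest:{{ default .Values.image.tag .Values.image.repoTags.controlPlane }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args:
-- "--dummy-certificates"
 - "--no-auth"
 - "--http=[::]:8081"
 - "--request-timeout={{ .Values.base.default_req_timeout }}"{{ if .Values.base.jaeger.enabled }}
@@ -56,6 +55,22 @@ spec:
 {{- if .Values.apis.rest.healthProbes.readiness.enabled }}
 - "--core-health-freq={{ .Values.apis.rest.healthProbes.readiness.agentCoreProbeFreq }}"
 {{- end }}
+{{- if not .Values.base.tls.enabled }}
+- "--dummy-certificates"
+{{- else }}
+- --cert-file=/etc/tls/tls.crt
+- --key-file=/etc/tls/tls.key
+# - --tls-client-ca-path=/etc/client_cert/ca.crt # CA cert for client verification with core-agent
+volumeMounts:
+- name: certs
+mountPath: /etc/tls
+readOnly: true
+# - name: ca-cert
+# mountPath: /etc/client_cert/ca.crt
+# subPath: ca.crt
+# readOnly: true
+
+{{- end }}
 ports:
 - containerPort: 8080
 - containerPort: 8081
@@ -86,3 +101,13 @@ spec:
 periodSeconds: {{ .Values.apis.rest.healthProbes.liveness.periodSeconds }}
 timeoutSeconds: {{ .Values.apis.rest.healthProbes.liveness.timeoutSeconds }}
 {{- end }}
+{{- if .Values.base.tls.enabled }}
+volumes:
+- name: certs
+secret:
+secretName: api-rest-tls
+# - name: ca-cert
+# secret:
+# defaultMode: 420
+# secretName: agent-core-server-cert
+{{- end }}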
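Review bot: With `base.tls.enabled` set, `--no-auth` and the plaintext listener `--http=[::]:8081` are still passed unconditionally (first hunk, new lines 48-49), so enabling TLS adds an HTTPS endpoint without retiring the unauthenticated HTTP one; since the CSI controller and diskpool operator switch to port 8080 in this commit, the `--http` line looks like it belongs under the `{{- if not .Values.base.tls.enabled }}` branch. No explicit HTTPS bind address is passed, so the 8080 port clients dial is presumably the binary's default and deserves a comment such as `# TLS listener uses the binary's default bind (port 8080); clients dial https://<release>-api-rest:8080`. The secret name `api-rest-tls` is hard-coded here and again in csi-controller-deployment.yaml and operator-diskpool-deployment.yaml; a single value such as `.Values.base.tls.secretName` would keep the three in step. The commented-out client-CA lines and the stray blank line before `{{- end }}` in the second hunk should be dropped or replaced by a TODO that names the core-agent mTLS follow-up. Indentation is not visible in this rendering, so whether `volumeMounts:` lands at container level cannot be confirmed from here.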

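--- a/chart/templates/mayastor/csi/csi-controller-deployment.yaml
+++ b/chart/templates/mayastor/csi/csi-controller-deployment.yaml
@@ -117,14 +117,21 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args:
 - "--csi-socket=/var/lib/csi/sockets/pluginproxy/csi.sock"
-- "--rest-endpoint=http://{{ .Release.Name }}-api-rest:8081"{{ if .Values.base.jaeger.enabled }}
+{{ if .Values.base.jaeger.enabled }}
 - "--jaeger={{ include "jaeger_url" . }}"{{ end }}
 {{- range $key, $val := .Values.csi.node.topology.segments }}
 - "--node-selector={{ $key }}={{ $val }}"
 {{- end }}
 - "--ansi-colors={{ .Values.base.logging.color }}"
 - "--fmt-style={{ include "logFormat" . }}"
 - "--create-volume-limit={{ .Values.csi.controller.maxCreateVolume }}"
+{{- if .Values.base.tls.enabled }}
+- "--rest-endpoint=https://{{ .Release.Name }}-api-rest:8080"
+- "--tls-client-ca-path=/etc/client_cert/ca.crt" # CA cert for client verification with rest
+{{- else }}
+- "--rest-endpoint=http://{{ .Release.Name }}-api-rest:8081"
+{{- end }}
+
 env:
 - name: RUST_LOG
 value: {{ .Values.csi.controller.logLevel }}
@@ -135,6 +142,18 @@ spec:
 volumeMounts:
 - name: socket-dir
 mountPath: /var/lib/csi/sockets/pluginproxy/
+{{- if .Values.base.tls.enabled }}
+- name: ca-cert
+mountPath: /etc/client_cert/ca.crt
+subPath: ca.crt
+readOnly: true
+{{- end }}
 volumes:
 - name: socket-dir
 emptyDir:
+{{- if .Values.base.tls.enabled }}
+- name: ca-cert
+secret:
+defaultMode: 420
+secretName: api-rest-tls
+{{- end }}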
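Review bot: The client's trust anchor is taken from the same secret that holds the server's private key (`secretName: api-rest-tls`, second hunk), so the kubelet fetches `tls.key` onto every node that runs a client pod even though only `ca.crt` is projected via `subPath`; scripts/certs.sh already writes `ca.crt` as a separate key, so publishing it in its own secret or a ConfigMap and mounting that here and in operator-diskpool-deployment.yaml would confine the private key to the api-rest pod. The `subPath: ca.crt` mount is also not refreshed when the secret is rotated, which deserves a comment such as `# subPath mounts are not updated on secret rotation; restart the pod after re-issuing the CA`. The `{{ if .Values.base.jaeger.enabled }}` that now stands on its own line without a `{{-` trim renders an empty line in the args list when jaeger is disabled — harmless YAML, but inconsistent with the trimmed directives around it. The enclosing container spec starts before the first hunk.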

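--- a/chart/templates/mayastor/operators/operator-diskpool-deployment.yaml
+++ b/chart/templates/mayastor/operators/operator-diskpool-deployment.yaml
@@ -46,7 +46,12 @@ spec:
 image: "{{ .Values.image.registry }}/{{ .Values.image.repo }}/{{ include "image_prefix" . }}-operator-diskpool:{{ default .Values.image.tag .Values.image.repoTags.controlPlane }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args:
+{{- if .Values.base.tls.enabled }}
+- --tls-client-ca-path=/etc/client_cert/ca.crt # CA cert for client verification with rest
+- "-e https://{{ .Release.Name }}-api-rest:8080"
+{{- else }}
 - "-e http://{{ .Release.Name }}-api-rest:8081"
+{{- end }}
 - "-n{{ .Release.Namespace }}"
 - "--request-timeout={{ .Values.base.default_req_timeout }}"
 - "--interval={{ .Values.base.cache_poll_period }}"{{ if .Values.base.jaeger.enabled }}
@@ -64,3 +69,23 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
+{{- if .Values.base.tls.enabled }}
+volumeMounts:
+- name: ca-cert
+mountPath: /etc/client_cert/ca.crt
+subPath: ca.crt
+readOnly: true
+# - name: agent-ca-cert
+# mountPath: /etc/client_cert/agent-ca.crt
+# subPath: agent-ca.crt
+# readOnly: true
+volumes:
+- name: ca-cert
+secret:
+defaultMode: 420
+secretName: api-rest-tls
+# - name: agent-ca-cert
+# secret:
+# defaultMode: 420
+# secretName: agent-core-server-cert
+{{- end}}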
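Review bot: `- --tls-client-ca-path=/etc/client_cert/ca.crt # CA cert for client verification with rest` (first hunk) is the only unquoted argument in a list where every neighbour is quoted; writing it as `- "--tls-client-ca-path=/etc/client_cert/ca.crt"  # CA cert for client verification with rest` matches the file's style and the quoted form used for the same flag in csi-controller-deployment.yaml. `{{- end}}` closing the second hunk lacks the space that every other `{{- end }}` in this change has. The commented-out `agent-ca-cert` mount and volume are placeholders for core-agent mTLS that this commit does not implement; they should be removed or replaced by a single TODO naming the follow-up rather than shipped as commented template text. Whether `volumeMounts:` and `volumes:` render at the right nesting cannot be judged here because indentation is stripped in this view; the enclosing container spec starts before the first hunk.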

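--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -90,6 +90,9 @@ base:
 containers:
 - name: etcd-probe
 command: ['sh', '-c', 'trap "exit 1" TERM; until nc -vzw 5 {{ .Release.Name }}-etcd {{.Values.etcd.service.port}}; do date; echo "Waiting for etcd..."; sleep 1; done;']
+# tls_enabled to enable TLS for gRPC, REST communications
+tls:
+enabled: true
 
 metrics:
 # -- Enable the metrics exporter
@@ -841,80 +844,80 @@ localpv-provisioner:
 analytics:
 enabled: true
 
-cert-manager:
-installCRDs: false
-image:
-# Controller image repository.
-repository: quay.io/jetstack/cert-manager-controller
-tag: 1.12.13
-webhook:
-image:
-# Webhook image repository.
-repository: quay.io/jetstack/cert-manager-webhook
-tag: 1.12.13
-affinity:
-nodeAffinity:
-preferredDuringSchedulingIgnoredDuringExecution:
-- weight: 100
-preference:
-matchExpressions:
-- key: kubernetes.azure.com/mode
-operator: In
-values:
-- system
-- weight: 90
-preference:
-matchExpressions:
-- key: openebs.io/engine=mayastor
-operator: In
-values:
-- acstor
-requiredDuringSchedulingIgnoredDuringExecution:
-nodeSelectorTerms:
-- matchExpressions:
-- key: kubernetes.io/arch
-operator: In
-values:
-- amd64
-- key: kubernetes.io/os
-operator: In
-values:
-- linux
-tolerations:
-- effect: NoSchedule
-key: CriticalAddonsOnly
-operator: Equal
-value: "true"
-affinity:
-nodeAffinity:
-preferredDuringSchedulingIgnoredDuringExecution:
-- weight: 100
-preference:
-matchExpressions:
-- key: kubernetes.azure.com/mode
-operator: In
-values:
-- system
-- weight: 90
-preference:
-matchExpressions:
-- key: openebs.io/engine=mayastor
-operator: In
-values:
-- acstor
-requiredDuringSchedulingIgnoredDuringExecution:
-nodeSelectorTerms:
-- matchExpressions:
-- key: kubernetes.io/arch
-operator: In
-values:
-- amd64
-- key: kubernetes.io/os
-operator: In
-values:
-- linux
-tolerations:
-- effect: NoSchedule
-key: CriticalAddonsOnly
-operator: Equal
-value: "true"
+# cert-manager:
+# installCRDs: false
+# image:
+# # Controller image repository.
+# repository: quay.io/jetstack/cert-manager-controller
+# tag: 1.12.13
+# webhook:
+# image:
+# # Webhook image repository.
+# repository: quay.io/jetstack/cert-manager-webhook
+# tag: 1.12.13
+# affinity:
+# nodeAffinity:
+# preferredDuringSchedulingIgnoredDuringExecution:
+# - weight: 100
+# preference:
+# matchExpressions:
+# - key: kubernetes.azure.com/mode
+# operator: In
+# values:
+# - system
+# - weight: 90
+# preference:
+# matchExpressions:
+# - key: openebs.io/engine=mayastor
+# operator: In
+# values:
+# - acstor
+# requiredDuringSchedulingIgnoredDuringExecution:
+# nodeSelectorTerms:
+# - matchExpressions:
+# - key: kubernetes.io/arch
+# operator: In
+# values:
+# - amd64
+# - key: kubernetes.io/os
+# operator: In
+# values:
+# - linux
+# tolerations:
+# - effect: NoSchedule
+# key: CriticalAddonsOnly
+# operator: Equal
+# value: "true"
+# affinity:
+# nodeAffinity:
+# preferredDuringSchedulingIgnoredDuringExecution:
+# - weight: 100
+# preference:
+# matchExpressions:
+# - key: kubernetes.azure.com/mode
+# operator: In
+# values:
+# - system
+# - weight: 90
+# preference:
+# matchExpressions:
+# - key: openebs.io/engine=mayastor
+# operator: In
+# values:
+# - acstor
+# requiredDuringSchedulingIgnoredDuringExecution:
+# nodeSelectorTerms:
+# - matchExpressions:
+# - key: kubernetes.io/arch
+# operator: In
+# values:
+# - amd64
+# - key: kubernetes.io/os
+# operator: In
+# values:
+# - linux
+# tolerations:
+# - effect: NoSchedule
+# key: CriticalAddonsOnly
+# operator: Equal
+# value: "true"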
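Review bot: `tls.enabled: true` (first hunk) makes TLS the default, but the `api-rest-tls` secret every TLS branch mounts is created out of band by scripts/certs.sh, so a plain `helm install` now yields api-rest, csi-controller and diskpool-operator pods stuck on a missing secret; either default to `false` until the chart can issue the certificate itself, or state the prerequisite next to the key. The comment `# tls_enabled to enable TLS for gRPC, REST communications` names a key that does not exist and mentions gRPC, which this commit does not configure — only REST is wired up; suggest `# -- Enable TLS for the REST API. Requires the api-rest-tls secret (see scripts/certs.sh).` to match the `# --` helm-docs style used on `metrics` just below. The commented-out cert-manager block in the second hunk is dead configuration now that the dependency is gone from Chart.yaml and can simply be deleted.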

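--- a/scripts/certs.sh
+++ b/scripts/certs.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+NAMESPACE="openebs"
+APP_NAME="api-rest"
+CERT_SECRET_NAME="api-rest-tls"
+CERT_DIR="$(dirname "$0")/certs"
+
+rm -rf certs/
+mkdir -p certs/
+
+# Create a self-signed root CA
+echo "Creating a self-signed root CA"
+openssl genrsa -out "${CERT_DIR}/ca.key" 4096
+openssl req -x509 -new -nodes -key "${CERT_DIR}/ca.key" -sha256 -days 3650 -out "${CERT_DIR}/ca.crt" -subj "/CN=api-rest-ca"
+
+# Create TLS certificate for the API REST
+echo "Creating a TLS certificate for the API REST"
+openssl genrsa -out "${CERT_DIR}/server.key" 4096
+openssl req -new -key "${CERT_DIR}/server.key" -out "${CERT_DIR}/server.csr" -subj "/CN=${APP_NAME}.${NAMESPACE}.svc.cluster.local"
+openssl x509 -req -in "${CERT_DIR}/server.csr" -CA "${CERT_DIR}/ca.crt" -CAkey "${CERT_DIR}/ca.key" -CAcreateserial -out "${CERT_DIR}/server.crt" -days 3650 -sha256
+
+# Convert the private key to PKCS#1 format if necessary
+echo "Verifying the RSA key format"
+if grep -q "BEGIN PRIVATE KEY" "${CERT_DIR}/server.key"; then
+echo "Converting key to RSA format"
+openssl rsa -in "${CERT_DIR}/server.key" -out "${CERT_DIR}/server-rsa.key"
+mv "${CERT_DIR}/server-rsa.key" "${CERT_DIR}/server.key"
+else
+echo "Key is already in RSA format"
+fi
+
+# Create a Kubernetes secret
+echo "Creating a Kubernetes secret"
+kubectl create secret generic ${CERT_SECRET_NAME} \
+--from-file=tls.crt="${CERT_DIR}/server.crt" \
+--from-file=tls.key="${CERT_DIR}/server.key" \
+--from-file=ca.crt="${CERT_DIR}/ca.crt" \
+-n ${NAMESPACE}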
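Review bot: `rm -rf certs/` and `mkdir -p certs/` (lines 9-10) are relative to the caller's working directory while every later path uses `CERT_DIR="$(dirname "$0")/certs"`, so invoking the script from anywhere but scripts/ fails at the first `openssl genrsa -out` because the target directory was never created. The server certificate is issued with a CN only and no subjectAltName; many current TLS stacks (rustls among them) ignore the CN and will reject it, and the CN `api-rest.openebs.svc.cluster.local` also does not match the `{{ .Release.Name }}-api-rest` service name the chart's clients dial, so NAMESPACE/APP_NAME should probably be overridable and carry the release prefix. `ca.key` is written without a passphrase into the repository tree under scripts/certs/ and should be git-ignored or deleted once the leaf certificate is signed. `kubectl create secret` is not idempotent and fails on a second run; piping `--dry-run=client -o yaml` into `kubectl apply -f -` avoids that. The rewritten lines below fix the directory handling, add the SAN and make the secret creation re-runnable.
```shell
CERT_DIR="$(dirname "$0")/certs"
SERVER_DNS="${APP_NAME}.${NAMESPACE}.svc.cluster.local"  # must equal the host name clients dial

rm -rf "${CERT_DIR}"
mkdir -p "${CERT_DIR}"
# … unchanged: root CA creation …
openssl req -new -key "${CERT_DIR}/server.key" -out "${CERT_DIR}/server.csr" -subj "/CN=${SERVER_DNS}"
openssl x509 -req -in "${CERT_DIR}/server.csr" -CA "${CERT_DIR}/ca.crt" -CAkey "${CERT_DIR}/ca.key" -CAcreateserial \
  -out "${CERT_DIR}/server.crt" -days 3650 -sha256 \
  -extfile <(printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "${SERVER_DNS}")
# … unchanged: PKCS#1 key conversion …
kubectl create secret generic "${CERT_SECRET_NAME}" \
  --from-file=tls.crt="${CERT_DIR}/server.crt" \
  --from-file=tls.key="${CERT_DIR}/server.key" \
  --from-file=ca.crt="${CERT_DIR}/ca.crt" \
  -n "${NAMESPACE}" --dry-run=client -o yaml | kubectl apply -f -
```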
